# Workflow: build the keyweave binary, deploy the Azure test fixtures, then
# exercise the binary against a Key Vault under four different access policies.
name: Checks

# Workflow-wide token permissions. `id-token: write` is what lets azure/login
# obtain an OIDC token; set at the top level it also applies to the build job,
# which does not log in to Azure. Declaring it per job on the jobs that do
# would tighten this to least privilege.
permissions:
  id-token: write
  contents: read

# Shared by every test job; referenced from their run steps.
env:
  VAULT_NAME: bvdbkeyweavetweukvt1

# `on` reads as a YAML 1.1 boolean to generic parsers; GitHub's loader handles
# it, so suppress yamllint's `truthy` rule here rather than renaming the key.
# On pull_request events from forks, repository secrets are not exposed and the
# OIDC token is not issued, so the Azure steps are expected to fail for fork PRs.
on:
  push:
    branches:
      - main
    paths:
      - 'bicep/**'
      - 'src/**'
      - 'Cargo.toml'
      - 'Cargo.lock'
      - '.github/workflows/e2e.yml'
  pull_request:
    branches:
      - main
    paths:
      - 'bicep/**'
      - 'src/**'
      - 'Cargo.toml'
      - 'Cargo.lock'
      - '.github/workflows/e2e.yml'

jobs:
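  build:
    name: Build Keyweave
    runs-on: ubuntu-latest
    steps:
    # Third-party actions are pinned to tags. Pinning to a full commit SHA
    # (`uses: owner/action@<commit-sha>  # vX.Y.Z`) would make the build immune
    # to a moved or compromised tag.
    - uses: actions/checkout@v4
    - uses: dtolnay/rust-toolchain@stable
    - name: Build project
      # `--workspace` is the current spelling of the deprecated `--all` alias.
      run: cargo build --workspace --release
    - name: Archive binary artifact
      uses: actions/upload-artifact@v3.1.3
      with:
        # No `name` is given, so the artifact is stored under upload-artifact's
        # default name `artifact`; the test jobs rely on that default.
        path: target/release/keyweave
        # Fail here instead of letting the test jobs fail later with a missing
        # binary.
        if-no-files-found: error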

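  bicep:
    name: Deploy Azure resources
    # GitHub issues the OIDC token with a subject tied to this environment, so
    # the federated credential on the Azure side is presumably scoped to it —
    # confirm against the app registration.
    environment: bicep
    runs-on: ubuntu-latest
    env:
      LOCATION: eastus
      # One deployment name per run so concurrent runs do not overwrite each
      # other's deployment record.
      DEPLOYMENT_NAME: keyweave-${{ github.run_id }}
    steps:
    # Same major version as the build job's checkout.
    - uses: actions/checkout@v4
    # OIDC login: no client secret; relies on the workflow's `id-token: write`.
    - uses: azure/login@v1
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    - name: Deploy Bicep template
      uses: azure/arm-deploy@v1
      with:
        # `region` is required by arm-deploy for subscription-scoped
        # deployments.
        scope: subscription
        region: ${{ env.LOCATION }}
        template: bicep/main.bicep
        parameters: bicep/main.params.json
        deploymentName: ${{ env.DEPLOYMENT_NAME }}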

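  none-test:
    name: Tests without access
    needs: [build, bicep]
    runs-on: ubuntu-latest
    # Environment whose federated credential is expected to carry no Key Vault
    # access policy — confirm against the Azure side.
    environment: none
    steps:
    - uses: actions/download-artifact@v3.0.2
      with:
        # Explicit name so the binary lands at ./keyweave: without a name,
        # download-artifact v3 fetches every artifact into a directory named
        # after each one. `artifact` is upload-artifact's default name.
        name: artifact
    - uses: azure/login@v1
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    - name: Use Keyweave with No Access Policies
      # Artifact upload does not preserve file modes, so the execute bit must
      # be restored. VAULT_NAME is read from the shell environment rather than
      # interpolated with `${{ }}` so the script text is fixed at authoring
      # time. The job passes or fails on the binary's exit status; whether a
      # no-access run is meant to exit zero is not visible here — confirm.
      run: |
        chmod +x ./keyweave
        ./keyweave --vault-name "$VAULT_NAME"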

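  get-test:
    name: Tests with Get access
    needs: [build, bicep]
    runs-on: ubuntu-latest
    # Environment whose federated credential is expected to carry only the Get
    # access policy — confirm against the Azure side.
    environment: get
    steps:
    - uses: actions/download-artifact@v3.0.2
      with:
        # Explicit name so the binary lands at ./keyweave: without a name,
        # download-artifact v3 fetches every artifact into a directory named
        # after each one. `artifact` is upload-artifact's default name.
        name: artifact
    - uses: azure/login@v1
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    - name: Use Keyweave with Only Get Access Policy
      # Artifact upload does not preserve file modes, so the execute bit must
      # be restored. VAULT_NAME is read from the shell environment rather than
      # interpolated with `${{ }}` so the script text is fixed at authoring
      # time.
      run: |
        chmod +x ./keyweave
        ./keyweave --vault-name "$VAULT_NAME"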

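  list-test:
    name: Tests with List access
    needs: [build, bicep]
    runs-on: ubuntu-latest
    # Environment whose federated credential is expected to carry only the List
    # access policy — confirm against the Azure side.
    environment: list
    steps:
    - uses: actions/download-artifact@v3.0.2
      with:
        # Explicit name so the binary lands at ./keyweave: without a name,
        # download-artifact v3 fetches every artifact into a directory named
        # after each one. `artifact` is upload-artifact's default name.
        name: artifact
    - uses: azure/login@v1
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    - name: Use Keyweave with Only List Access Policy
      # Artifact upload does not preserve file modes, so the execute bit must
      # be restored. VAULT_NAME is read from the shell environment rather than
      # interpolated with `${{ }}` so the script text is fixed at authoring
      # time.
      run: |
        chmod +x ./keyweave
        ./keyweave --vault-name "$VAULT_NAME"
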
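  get-list-test:
    name: Tests with Get and List access
    needs: [build, bicep]
    runs-on: ubuntu-latest
    # Environment whose federated credential is expected to carry both the Get
    # and List access policies — confirm against the Azure side.
    environment: getlist
    steps:
    - uses: actions/download-artifact@v3.0.2
      with:
        # Explicit name so the binary lands at ./keyweave: without a name,
        # download-artifact v3 fetches every artifact into a directory named
        # after each one. `artifact` is upload-artifact's default name.
        name: artifact
    - uses: azure/login@v1
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    - name: Use Keyweave with both Get and List Access Policies
      # Artifact upload does not preserve file modes, so the execute bit must
      # be restored. VAULT_NAME is read from the shell environment rather than
      # interpolated with `${{ }}` so the script text is fixed at authoring
      # time.
      run: |
        chmod +x ./keyweave
        ./keyweave --vault-name "$VAULT_NAME"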